Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Security Issue with az desktopvirtualization using old API which is exposing the registrationtoken to users who dont have permission to view it #4580

Closed
sayandaw opened this issue Mar 27, 2022 · 1 comment · Fixed by #4526
Closed

Security Issue with az desktopvirtualization using old API which is exposing the registrationtoken to users who dont have permission to view it #4580

sayandaw opened this issue Mar 27, 2022 · 1 comment · Fixed by #4526
Assignees
@wangzelin007
Labels
Auto-Assign Auto assign by bot customer-reported Issues that are reported by GitHub users external to the Azure organization. Desktop Virtualization
Milestone
Backlog

Comments

@sayandaw
Copy link

sayandaw commented Mar 27, 2022
edited
Loading

Extension name (the extension in question)

desktopvirtualization

Description of issue (in as much detail as possible)

az desktopvirtualization hostpool list is using a old API Version : api-version=2019-12-10-preview

So when a user who does not have permission to read the HostPool registration token can easily expose it from the az cli.

Risk

Users are able to steal the token and can register any machine they want to the HostPool

Detail of the issue

As you can see, I can view the token, even when I dont have access to see this on the Portal. I can use this token to register any machine.

 "token": "eyJhbGciOiJSUzI1NiIsImtpZCI6IkZDMTBFOUQzNUQ4MEFCMjQyMTM2MTJBMDIwQjA3Q0U2Q0UxODRGMDAiLCJ0eXAiOiJKV1Qi"

I have altered the token here in the example for security reasons ofcourse

PS C:\Users\azcli> az desktopvirtualization hostpool list
[
 {
   "applicationGroupReferences": [
     "/subscriptions/0000000000000000000000000000000000/resourcegroups/rg-avd-ddg-XXXXXX-tst-weu-test/providers/Microsoft.DesktopVirtualization/applicationgroups/ag-avd-ddg-XXXXXX-tst-weu-test"
   ],
   "customRdpProperty": "enablecredsspsupport:i:1;authentication level:i:0;audiomode:i:0;videoplaybackmode:i:1;",
   "description": "",
   "friendlyName": "",
   "hostPoolType": "Personal",
   "id": "/subscriptions/0000000000000000000000000000000000/resourcegroups/rg-avd-ddg-XXXXXX-tst-weu-test/providers/Microsoft.DesktopVirtualization/hostpools/hp-avd-ddg-XXXXXX-tst-weu-test",
   "kind": null,
   "loadBalancerType": "Persistent",
   "location": "westeurope",
   "maxSessionLimit": 999999,
   "name": "hp-avd-ddg-XXXXXX-tst-weu-test",
   "personalDesktopAssignmentType": "Direct",
   "registrationInfo": {
     "expirationTime": "2022-04-04T15:22:57.687747+00:00",
     "registrationTokenOperation": "None",
     "resetToken": false,
     "token": "eyJhbGciOiJSUzI1NiIsImtpZCI6IkZDMTBFOUQzNUQ4MEFCMjQyMTM2MTJBMDIwQjA3Q0U2Q0UxODRGMDAiLCJ0eXAiOiJKV1Qi"
   },
   "resourceGroup": "rg-avd-ddg-XXXXXX-tst-weu-test",
   "ring": null,
   "ssoContext": null,
   "systemData": {
     "createdAt": "2022-03-04T13:53:30.97Z",
     "createdBy": "0000000000000000000000000000000000",
     "createdByType": "Application",
     "lastModifiedAt": "2022-03-16T13:37:32.57Z",
     "lastModifiedBy": "0000000000000000000000000000000000",
     "lastModifiedByType": "Application"
   },
   "type": "Microsoft.DesktopVirtualization/hostpools",
   "validationEnvironment": false,
   "vmTemplate": null
 }

]

Mitigation

Remove use of old API "2019-12-10-preview" instead use latest API "api-version=2021-07-12" which does not have this issue.
@ghost ghost added question The issue doesn't require a change to the product in order to be resolved. Most issues start as that customer-reported Issues that are reported by GitHub users external to the Azure organization. Auto-Assign Auto assign by bot Desktop Virtualization labels Mar 27, 2022
@ghost ghost assigned wangzelin007 Mar 27, 2022
@ghost ghost added this to the Backlog milestone Mar 27, 2022
@yonzhan
Copy link
Collaborator

yonzhan commented Mar 27, 2022

desktopvirtualization

@yonzhan yonzhan removed the question The issue doesn't require a change to the product in order to be resolved. Most issues start as that label Mar 27, 2022
@sayandaw sayandaw mentioned this issue Mar 27, 2022
Closed
2 tasks
@wangzelin007 wangzelin007 linked a pull request Mar 28, 2022 that will close this issue
[desktopvirtualization] Bump version to 2021-07-12 #4526
Merged
3 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@wangzelin007 wangzelin007

Labels
Auto-Assign Auto assign by bot customer-reported Issues that are reported by GitHub users external to the Azure organization. Desktop Virtualization
Projects
None yet
Milestone
Backlog
2 participants
@wangzelin007 @yonzhan